HIPAA compliance makes sense once you understand all the rules, but unfortunately only a few practices have invested the time, resources, and training needed to do so.
Most healthcare professionals understand the importance of PHI, and their intentions would never be to purposely place this information at risk. The challenge is that these professionals earn their living by providing the services that they spent eight years in school for. Their level of success is directly tied to billable hours, or how much time is spent offering healthcare services. School did not prepare them to be IT or legal experts, yet HIPAA regulations pertaining to PHI treat them that way. The fines associated with a data breach carry the power to cripple their business.
The risk doesn’t stop at the practice. HIPAA compliance is a requirement for all Covered Entities, including Business Associates. If you are an IT service provider, it doesn’t really matter whether you are healthcare specific or not. Having even one healthcare customer with PHI, and hosting or managing that data as a Business Associate, makes you just as “at risk” for non-compliance penalties.
Today, my network of PHI protection experts and I offer you the following instructions* to help solve the HIPAA PHI compliance puzzle:
PHI protection under HIPAA covers three main areas.
- Confidentiality – PHI under your care needs to be saved in a non-readable format, and there must not be any visible association to a specific individual (or patient).
- Integrity – The data must remain in the same form in which it was originally saved; it has to be tamper-proof. Also, access to this data must be limited to only those qualified to view it.
- Availability – PHI can’t be lost, and it needs to be recoverable and usable within a reasonable period of time.
Basic guidelines
This is a Security Bloggers Network syndicated blog post authored by Tripwire Guest Authors. Read the original post at: The State of Security